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Maintaining privacy for transactions 
performable by a user device having a security module 

TECHNICAL FIELD 

The present invention is related to a method and system for maintaining privacy in 
5 transactions performable by a user device having a security module with a privacy certification 
authority and a verifier. Moreover, the invention is also related to a computer program element 
for performing the method and a computer program product stored on a computer usable 
medium for causing a computer to perform the method 

BACKGROUND OF THE INVENTION 

Computers have evolved to tools for many applications and service. In today's world a 
trustworthy computing environment becomes more and more a desire. Comprehensive trust, 
security, and privacy functions are required to establish multi-party tmst between devices, 
upon which content providers, application and service providers, consumers, enterprises and 
financial institutions, and particularly users can rely. 

For that, a trusted platform module (TPM) has been established. The role of the module is to 
offer protected storage, platform authentication, protected cryptographic processes and 
attestable state capabilities to provide a level of trast for the computing platform. The 
foundation of this trust is the certification by a recognized authority that the platform can be 
trasted for an intended purpose. A so-called trusted computing group (TCG) will further 
develop and promote open industry standard specifications for trusted computing hardware 
building blocks and software interfaces across multiple platforms, including PC's, servers, 
PDA's, and digital phones. This will enable more secure data storage, online business 
practices, and online conmierce transactions while protecting privacy and individual rights. 
Users will have more secure local data storage and a lower risk of identity theft from both 
external software attack and physical theft. 

To realized the functionality of attestable states, an issuer issues a certificate to the trusted 
platform module, hereafter also abbreviated as TPM, as to allow the TPM to later prove that it 
is a genuine TPM and therefore a verifying party can have confidence stated attested by the 

i 
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TPM. To allow the TPM to prove it is genuine without that the verifying party can identify the 
TPM, a so-called direct anonymous attestation (DAA) protocol has been specified by the 
trusted computing group. The protocol allows the TPM to convmce a verifying party that it 
obtained attestation by an issuer without revealing its identity. The protocol takes place in the 
5 following setting. The issuer has made available a public key (n, Ro» Ru S, Z). With each TPM 
a so-called endorsement key is associated* This key is an RSA encryption key pair, the secret 
key of which is available to the TPM. In order to get attestation, the TPM and the issuer mn a 
first protocol. During the protocol, the TPM sends the issuer values U = Rq^R/^ iS*' mod n and 
Ni = 4/^^-^, where A: is a system parameter and 0 is a so-called named base value determined 
10 by the issuer. Hie value U is authenticated using the TPM*s endorsement key. The TPM also 
proves to the issu^ that Nj is correctly computed w.r.t. J7, i.e., that they contain the same 
values of JO and/i. Having received U and iV/, the issuer chooses an appropriate prime e and a 
value v", computes the value 

A= {ZAJS'^f^''^ mod n 
15 and sends the TPM A, e, and v". The TPM sets v= v' + v" . Thus it turns out that 

A^Ro^rPS'^^Z (mod/i), 
i.e., the TPM has obtained attestation from the issuer. 

Now, the TPM can convince the verifying party with a second protocol, herein also referred to 
DAA-sign operation, that it has obtained attestation without identifying itself. That is, the 
20 verifying party only receives a value that the TPM computed as where k is the same 

system parameter and Cv is a base or named base value determined by the verifier, and a proof 
that tibe TPM possesses values A, v, yO, and/i such that 

A^Ro^rPS'^^Z (modn) and Ny^C/^^^ 

holds. It is noticed that the verifying party does not leam any of the values A, e, v, JO, and/i. 
25 The verifying party can either allow the TPM or the user's computer to choose the value Cv 
randomly, in which case the verifying party does not receive any information at all; or the 
verifying party can request that the value Cv be computed otherwise and fixed for a certain 
time period, in which case the verifying party is able to note whether tiie same TPM has 
contacted it before by checking whether it has seen a given Ny before. 
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Ih the execution of these two protocols, also a platform that uses the TPM takes part This 
platform receives values from the TPM, possibly modifies them, and forwards them to the 
issuer or the verifying party. The platform then receives (reply-)messages ffoba the issuer or 
the verifying party, possibly modifies them, and feeds them to the TPM, 

Using the same Cv with all TPM's and for a certain time period allows the verifying party to 
monitor whether some TPM overuses the service provided by the verifying party through 
monitoring how often a given value Nv is used and thus to identify TPM's that are no longer 
genuine. However, it also allows the verifying party to do profiling and thus to invade into the 
privacy of a TPM's user, which is not desirable. 

From the above it follows that there is still a need in the art for an improved protocol that 
prevents profiling and maintains privacy for transactions performable by the user device with 
parties while still allowing the verifying party to monitor overuse and identify rogue TPM's. 
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SUMMARY AND ADVANTAGES OF THE INVENTION 

la the foUowing are proposed a system and methods which prevent profiling and maintain 
privacy for transactions that are performed by a user device with a privacy certification 
authority and a verifier or verifying party, which typically is a verification computer* The user 
5 device has a security module, herein also referred to as trusted platform module (TPM), which 
allows platform authentication, protected cryptographic processes, and attestable state 
capabilities. In general, a frequency check is separated from the granting/request of a service, 
which is accessible upon a successful verification by the verifier. The privacy certification 
authority, that is a trusted third party (TIP), is used to perform the frequency check on the 

10 verifiers behalf and, if the check is successful, issues attestation values, e.g., as a token, to the 
user device and TPM that the user device with the TPM can then use to generate attestation- 
signature values to provide to the verifier and thereby convince the verifier that it has obtained 
such attestation values jBrom the TPP. The token should be useable only once (or at least a 
limited number of times) and should preferably be such that it can only be used with a single 

15 verifier and such that even when the verifier and the TTP collude, they cannot link the request 
to the service with the transaction in which the token was granted to user device with the 
TPM. Thus, if the verifier trusts the TTP, it is assured that it will only receive attestation- 
signature values from user devices with the TPMs that have not ovemsed its service. On the 
other hand, the user device with the TPM is guaranteed that the verifier cannot do profiling as 

20 they are assured that it cannot link the different service requests. Of course, the user device 
with the TPM should retrieve a fresh token from the TTP for each service request The user 
with the user device does not need to trust the TTP, the TTP and the verifier could even be the 
same entity. 

In accordance with die present invention, there is provided a system for maintaining privacy 
25 while computers performing transactions. The system comprises an issuer providing an issu^ 
public key PKi; a user device having a security module for generating a first set of attestation- 
signature values DAAl; a privacy certification authority computer for providing an authority 
public key PKpca and issuing second attestation values AV2; and a verification computer for 
checking the validity of the first set of attestation-signature values DAAl with the issuer 
30 public key PKi and the validity of a second set of attestation-signature values DAA2 with the 
authority public key PKpca> the second set of attestation-signature values DAA2 being 
derivable by the user device 20 from the second attestation values AV2, wherein it is 
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verifiable that the two sets of attestation-signature values DAAl, DAA2 relate to the user 
device. 

In accordance with a further aspect of the present invention, there is provided a method for 
maintaining privacy for transactions perfonnable by a user device having a security module 
5 with a privacy certification authority computer and a verification computer, the verification 
computer having obtained public keys PKpcA, PKi from the privacy certification authority 
computer eind firom an issuer that provides attestation of the security module. The method 
comprising the steps of: 

receiving a fijrst and second set of attestation-signature values DAAl, DAA2, the fixst set of 
10 attestation-signature values DAAl being generated by the user device using first attestation 
values AVI obtained from the issuer and the second set of attestation-signature values DAA2 
being generated by the user device using second attestation values AV2 obtained from the 
privacy certification authority computer; 

checking the validity of the first set of attestation-signature values DAAl with the public key 
15 PKi of the issuer; 

checking the validity of the second set of attestation-signature values DAA2 with the public 
key PKpcA of the privacy certification authority computer; and 

verifying whether or not die two sets of attestation-signature values DAAl, DAA2 relate to 
the user device. 

20 The system and method allow maintaining privacy for transactions which are performed by 
the user device as they allow splitting xiususe and a frequency check firom the request of any 
access. It is further advantageous that profiling by any of the parties is prevented. 

The step of verifying may comprise the step of verifying that a first value is derived from a 
base value, comprised in the first set of attestation-signature values DAAl, and identical to a 
25 second value fliat is derived from said base value and is comprised in the second set of 
attestation-signature values DAA2. This leads to a more secure system. 

The step of verifying may comprise the step of verifying a proof that the two attestation- 
signature values DAAl, DAA2 are based on the first and second attestation values AVI, AV2 
that are derived from at least one common value t. This again leads to a more secure system 
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and allows the user device to handle the second attestation values AV2 and the second 
attest^on-signature values DAA2 without using the security module. 

The base value can be different each time the method is applied, which guarantees 
unlinkability of transactions. 

5 The common value t might be derived from an endorsement key EK that is related to the 
security module. Also this leads to a more secure system, since the common value t is well 
defined and is assured to be different for each security module. 

In accordance with another aspect of the present invention, there is provided a method for 
10 maintaining privacy for transactions performable by a usct device having a security module 
with a privacy certification authority computer and a verification computer, the privacy 
certification authority computer having obtained a public key from an issuer that provides 
attestation of the security module. Hie method comprises the steps of: 

receiving an initial set of attestation-signature values DAAl' from the user device, the initial 
15 set of attestation-signature values DAAl' being generated by the user device using first 
attestation values AVI obtained from the issuer; 

checking the validity of the initial set of attestation-signature values DAAl with the public 
key of the issuer 

responsive to the checking step issuing second attestation values AV2 that relate to the initial 
20 set of attestation-signature values DAAl*; and 

providing the second attestation values AV2 to the user device, a second set of attestation- 
signature values DAA2 being derivable from the second attestation values AV2, 

wherein it is verifiable that a first set of attestation-signature values DAAl and the second set 
of attestation-signature values DAA2 relate to the user device, the first set of attestation- 
25 signature values DAAl is generatable by the user device using first attestation values AVI 
obtained from the issuer. 
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The step of issuing the second attestation values AV2 may further comprise the step of 
receiving a request value from the user device and verifying whether the request value relates 
to the initial set of attestation-signature values DAAl'. 

S In accordance with yet a further aspect of the present invention, there is provided a method for 
maintaining privacy for transactions performable by a user device having a security module 
with a privacy certification authority computer and an verification computer, the user device 
having obtained first attestation values AVI firom an issuer and second attestation values AV2 
firom the privacy certification authority computer. The method comprises the steps of: 

10 generating a first set of attestation-signature values DAAl by using the first attestation values 
AVI and a second set of attestation-signature values DAA2 by using the second attestation 
values AV2; and 

sending the first and second set of attestation-signature values DAAl, DAA2 to the 
verification computer, 

15 wherein the verification computer is able to check the validity of the first set of attestation- 
signature values DAAl with an issuer pubUc key PKi of the issuer, the validity of the second 
set of attestation-signature values DAA2 with an authority public key PKfca of the privacy 
c^tification authority computer, and 

to verify that the two sets of attestation-signature values DAAl, DAA2 relate to the user 

< 

20 device (20). 

The step of generating can comprise using an endorsement key EK that is related to the 
security module. 
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DESCRIPTION OF THE DRAWINGS 

Preferred embodiments of the invention are described in detail below, by way of example 
only» with reference to the following schematic drawings. 



FIG. 1 shows a schematic illustration of a scenario with an issuer, a user computer 

having a trusted platform module, a privacy certification authority, and a 
verifier. 



FIG. 2 shows the schematic illustration of Fig. 1 with the privacy certification 

authority and the verifier forming an entity. 



The drawings are provided for illustrative piuposes only. 
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DETAILED DESCRIPTION OF EMBODIMENTS 

Fig. 1 shows a schematic illustration of a scenario with an issuer 10 and a user device 20 
comprising a security module 22, that typically is a part of a user's computer. The user device 
20, also labeled with UC, is connected to a privacy c^fication authority computer 30, also 
5 labeled as PCA, and a verification computer 40, labeled with V« 

The issuer 10 provides an issuer public key PKi to the public, as indicated with a dotted 
parallelogram 12 that is labeled with PICi, and holds a list of endorsement keys EKi . • . EKn, 
each allocated to one security module comprised in a user device. Further, the issuer 10 
provides to the user device 20 with the security module 22 one particular endorsement key 

10 EKtpm* Moreover, as indicated on arrow 1, attestation values AVI are provided from the 
issuer 10 to the user device 20. The privacy certification authority computer 30 provides also a 
public key to the public, that here is called authority public key PKpcAf as indicated with a 
further dotted parallelogram 32 that is labeled with PKpca- The user device 20 with the 
security module 22, also labeled with TPM, generates a first set of attestation-signature values 

15 DAAl and sends these, as indicated by arrow 2 with *T)AAr= tl?^(AVl)", to the privacy 
certification authority computer 30 which then issues second attestation values AV2 back to 
the user device 20, as indicated by arrow 3. The open-hand symbol indicates here showing the . 
respective values to another party, which can be contemplated as token or signature. 

The user device 20 with the security module 22 generates the first set of attestation-signature 
20 values DAAl by using the first attestation values AVI, also referred to as issuer token AVI, 
and generates a second set of attestation-signature values DAA2 by using the second 
attestation values AV2, received from the privacy certification authority computer 30. The 
first and second set of attestation-signature values DAAl, DAA2 are then sent to the 
verification computer 40, as indicated by arrow 4 with •T^AAl = t^(AVl), DAA2 = t^(AV2y* 
25 in the figure. The verification computer 40 is able to check the validity of the first set of 
attestation-signature values DAAl with the issuer public key PKi of the issuer 10, the validity 
of the second set of attestation-signature values DAA2 with the authority public key PKpca of 
the privacy certification authority computer 30, and to verify that the two sets of attestation- 
signature values DAAl, DAA2 relate to the user device 20. By showing the first set of 
30 attestation-signature values DAAl to the verification computer 40, the user device 20 can 
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indicate the possession of the second attestation values AV2, the so-called authority token 
AV2. 

The following describes in more detail the implementation of the proposed method for 
maintaining privacy for transactions performable by the user device 20 with the privacy 
certification authority computer 30 and the verification computer 40. The verification 
computer 40, hereafter short verifier 40, may provide after a successful verification access to a 
service, data, or information. 

When the user device 20 with the security module 22, hereafter also referred to as trusted 
platform module (TPM), obtained attestation from the issuer 10, the issuer 10 computes a 
value A differently, i.e., it chooses some common value t that is unique for the user device 20 
(e.g., / could be the hash of the TPM's endorsement key), and computes 

A= (Z/U^'^Rz'f^''^ mod n, 

where R2 is an additional base value that is now also part of the issuer public key PKi. That is, 
the first attestation values AVI are (A,e,v") and are send to the user device 20 together with 
the value of t, where the conunon value t is not forward to the TPM. Next, the user device 20 
contacts the privacy certification authority computer 30, hereafter also referred to as third 
trusted party (TTP), and uses the DAA-sign operation of the TPM to convince the TIP that it 
obtained attestation from the issuer 10. However, the user device 20, also rcfened to as 
platform, hosting the TPM modifies the messages received from the TPM as to reflect the 
parameter t and the fact that the value A was differently computed by the issuer 10. Also, the 
part of the DAA-sign op^tion run by the TTP is modified to reflect these changes. Here, the 
TTP uses a named base value Cv that is the same with all TPMs, and thus user devices, and for 
a sufficiently long time-period so that the TTP can determine whether the TPMs or user 
devices are still valid, i.e., whether it has not seen a particular value of Ny too often. Then the 
TTP issues the user device 20 with the TPM the second attestation values AV2, also regarded 
as authority token AV2, that is related to the common value / of the TPM. 

This authority token AV2 should be issued in a way such that 1) the TTP does not leam any 
useful information about the common value r, 2) when the user device 20 uses the authority 
token AV2 with a verifier that use cannot be linked to the transaction in which the TTP of the 
user device 20 issued the authority token AV2, 3) the verifier 40 can verify that the authority 
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token AV2 the user device 20 or TPM uses is related to' some common value t that is 
comprised in the attestation the user device 20 obtained from the issuer 10, and 4) the user 
device 20 can use the authority token AV2 only once and only with a given verifier. 

These properties can in principle be achieved using so-called blind signature schemes, where 
. 5 the TIP blindly signs a message that depends on the common value the targeted verifier's 
identifier and possibly some random number chosen by the platform, i.e. the user device 20. 
The values received by the user device 20 are the second attestation values A V2, also referred 
to as authority token AV2. The user device 20 then tries to convince the TTP that the message 
indeed depends on the conunon value t Such blind signature protocols ensure that the TTP 
10 does not learn the message nor its signature. Thus, the user device 20 with the TPM can 
contact any verifier 40, execute the DAA-sign operation with the verifier 40 to obtain the first 

■ 

set of attestation*signature values DAAl (where again, the user device 20 modifies the 
messages obtained by the TPM suitably as to reflect that A was computed using the common 
value 0* where the named base value Cv should be random so that the verifier 40 cannot link 
IS different requests by the same user device 20 or TPM. Furthermore, the user device 20 sends 
the verifier 40 the message and its signatures as second set of attestation-signature valiies 
DAA2 it obtained ficom the TTP trough the blind-signing protocol, and convinces the verifier 
40 that the message is based on the common value t that is also contained in the attestation 

» 

values AVI obtained by the issuer 10 (upon which the first set of attestation-signature values 
20 DAA2 is based), the verifier's identifier and possibly some random number, where the random 
number can be learned by the verifier 40. If the verifier 40 has not seen the same random 
number (or the same message-signature pair) before^ it grants the request Otherwise it rejects 
it. 

Instead of using a blind signature scheme, the privacy certification authority computer 30, i,e. 

25 the TTP, could also use the following modification of the DAA-scheme. Let (n, Rp, Rj, R2, Rj, 
j£ Z) be the authority public key PKpca of the TTP. Then, die user device 20 with the TPM 
computes ^= Rp ""Rj^Rz Bi^^ and Ni =Q^^ where a, fc, and, c' are random values chosen by 
the user device 20, w is a value that depends on the targeted verifier and some random value r, 
e.g., w = SHAl (verifier ^id, r), where SHAI is a one-way hash function and is determined by 

30 the TTP. For these steps, the user device 20 could also involve the TTP. Next, the user device 
20 runs the DAA-sign operation w.r.t. the attestation values AVI obtained from the issuer 10 
and proves to the TTP that U and Ni_ were computed correctiy, in particular that t/ comprises 
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the same common value t as contained in the attestation values AVI the user device 20 has 
obtained from the issuer 10 and from which the attestation-signature values DAAl' are 
generated that the user device sent to the TTP, For this DAA-sign operation, the user device 
20 should again modify the messages from the TTP as to reflect that the issua 10 computes A 
5 using t. After this, the TTP choose a suitable e and c", computes 

A= {ZJUg'f^^ mod n 

and sends A , e, and as second attestation values AV2 to the user device 20. Having 
obtained these values, the user device 20 now can contact the verifier 10 and execute the 
DAA-sign operation (using the TPM as necessary), where the user device 20 modifies the 

10 messages from the TPM as to reflect that A (and possibly A) got computed involving t (and w). 
For these DAA-sign operations the named base value Cv should be randono. Also, the user 
device 20 sends the verifier 40 w and r, so that the verifier 40 can verify that w was computed 
correctly, and that it is contained in the attestation the user device 20 obtained from the TTP. 
Finally, the user device 20 proves to the verifier 40 that the attestation it obtained from the 

15 issuer 10 as well as the one it has obtained from the TTP comprises the same common values 
t. This proof can easily be performed by slightly adapting the DAA-sign operation, i.e., by the 
user device 20 choosing all values related to the common value t to be identical in both these 
DAA-sign operations and by the verifier 40 checking that these values are indeed identical. 

As the user with the user device 20 no longer needs to thmst the TTP. i,e, the privacy 
20 certification authority computer 30, that the TTP does not collude with the verifier 40, both 
entities could be incorporated into a single entity. Fig. 2 shows such a further embodiment in 
which the privacy certification authority 30 and the verification computer 40 form an entity 
SO. This might be advantageous for specific applications or services. 

Any disclosed embodiment may be combined with one or several of the other embodiments 
25 shown and/or described. This is also possible for one or more features of the embodiments. 

The present invention can be realized in hardware, sof tv/are, or a combination of hardware and 
software. Any kind of computer system - or other apparatus adapted for carrying out the 
method described herein - is suited. A typical combination of hardware and software could be 
a general puipose computer system with a computer program that, when being loaded and 
30 executed, controls the computer system such that it carries out the methods described herein. 
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The present invention can also be embedded in a coniputer program product, which comprises 
all the features enabling the implementation of the methods described herein, and which - 
when loaded in a computer system - is able to carry out these methods. 

Computer program means or computer program in the present context mean any expression, in 
any language, code or notation, of a set of instructions intended to cause a system having an 
information processing capability to perform a particular function either directly or after either 
or both of the following a) conversion to another language, code or notation; b) reproduction 
in a different mat^al form. 
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CLAIMS 

(Yerifier) 

1. A metitiod for maintaining privacy for transactions performable by a user device (20) 
5 having a security module (22) with a privacy certification authority computer (30) and a 
verification computer (40), the verification computer (40) having obtained public keys from 
the privacy certification authority computer (30) and from an issuer (10) that provides 
attestation of the security module (22), the method comprising the steps of: 

- receiving a first and second set of attestation-signature values ff)AAl, DAA2), the first set 
10 of attestation-signature values (DAAl) being generated by the user device (20) using first 

attestation values (AVI) obtained from the issuer (10) and the second set of attestation- 
signature values (DAA2) being generated by the user device (20) using second attestation 
values (AV2) obtained from the privacy certification authority computer (30); 

- checking the validity of the first set of attestation-signature values (DAAl) with the public 
15 key of the issuer (10); 

- checking the validity of the second set of attestation-signature values (DAA2) with the 
public key of the privacy certification authority computer (30); and 

- verifying whether or not the two sets of attestation-signature values (DAAl, DAA2) relat^ to 
the user device (20). 

20 2. The method according to claim 1, wherein the step of verifying comprises the step of: 
verifying that a first value is derived from a base value, comprised in the first set of 
attestation-signature values (DAAl), and identical to a second value that is derived from said 
base value and is comprised in the second set of attestation-signature values (DAA2). 

3. The method according to claim 1, wherein the step of verifying comprises the step of: 
25 verifying a proof that the two attestation-signature values (DAAl, DAA2) are based on the 
first and second attestation values (AVI, AV2) that are derived from at least one common 
value (<). 



i 



c;j:iy:^uu:5UUD» 

-15- 

4. The method according to claim 2, wherein the base value is different each time the 
method is applied. 

5. The method according to claim 3, wherein the common value (t) is derived from an 
endorsement key (EK) that is related to the security module (22). 

5 

(Privacy certification authority) 

6. A method for maintaining privacy for transactions performable by a user device (20) 
having a security module (22) with a privacy certification authority computer (30) and a 

10 verification computer (40), the privacy certification authority computer (30) having obtained a 
public key from an issuer (10) that provides attestation of the security module (22); the 
method comprising the steps of: 

- receiving an initial set of attestation-signature values (DAAl') from the user device (20), the 
initial set of attestation-signature values (DAAV) being generated by the user device (20) 

15 using first attestation values (AVI) obtained from the issuer (10); 

- checking the validity of the initial set of attestation-signature values (DAAl) with the public 
key of the issuer (10); 

- responsive to the checking step issuing second attestation values (AV2) that relate to the 
initial set of attestation-signature values (DAAl*); and 

20 - providing the second attestation values (AV2) to the user device (20), a second set of 
attestation-signature values (DAA2) being derivable firom the second attestation values (AV2), 

wherein it is verifiable that a first set of attestation-signature values (DAAl) and the second 
set of attestation-signature values (DAA2) relate to the user device (20), the first set of 
attestation-signature values (DAAl) is generatable by the user device (20) using first 
25 attestation values (AVI) obtained from the issuer (10). 

7. The method according to claim 6, wherein the step of issuing the second attestation values 
(AV2) further comprises the step of: receiving a request value from the user device (20) and 
verifying whether the request value relates to the initial set of attestation-signature values 
(DAAl'). 

30 
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(JJser computer) 

8. A method for main t ai n i n g privacy for transactions peifonnable by a user device (20) 
having a security module (22) with a privacy certification authority computer (30) and an 
verification conq)uter (40), the user device (20) having obtained first attestation values (AVI) 
from an issuer (10) and second attestation values (AV2) from the privacy certification 
authority computer (30), the method comprising the steps of: 

- generating a first set of attestation-signature values (DAAl) by using the first attestation 
values (AVI) and a second set of attestation-signature values (DAA2) by using the second 
attestation values (AV2); and 

- sending the first and second set of attestation-signature values (DAAl, DAA2) to the 
verification computer (40), 

wherein the verification computer (40) is able to check the validity of the first set of 
attestation-signature values (DAAl) with an issuer pubUc key (PKi) of the issuer (10), the 
validity of the second set of attestation-signature values (DAA2) with an audiority public key 
(PKpca) of the privacy certification authority computer (30), and 

to verify that the two sets of attestation-signature values (DAAl, DAA2) relate to the user 
device (20). 

m • 

9. The method according to claim 8, wherein the step of generating comprises using an 
endorsement key (EK) that is related to the security module (22). 

10. A computer program element comprising program code means for performing the method 
of any one of the claims 1 to 9 when said program is run on a computer. 

11. A computer program product stored on a computer usable medium, comprising computer 
readable program means for causing a computer to perform the method according to any one 
of the claims 1 to 9. 
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12. A system for maintaining privacy while computers performing transactions comprising: 
an issuer (10) providing an issuer public key (PKO; 

a user device (20) having a security module (22) for generating a first set of attestation- 
signature values (DAAl); 

a privacy certification authority computer (30) for providing an authority public key (PKpca) 
and issuing second attestation values (AV2); and 

a verification computer (40) for checking the validity of the first set of attestation-signature 
values (DAAl) with the issuer public key (PKi) and the validity of a second set of attestation- 
signature values (DAA2) with the authority public key (PKpca), the second set of attestation- 
signature values 0DAA2) being derivable by the user device (20) from the second attestation 
values (AV2), 

wherein it is verifiable that ttie two sets of attestation-signature values (DAAl, DAA2) relate 
to the user device (20). 



9|e :]( 



-18- 



ABSTRACT 



Maintaining privacy for transactions perfbrmable by a user device 

The present invention discloses a method and system for maintaining privacy for transactions 
perfonnable by a user device having a security module with a privacy certification authority 
and a verifier. The system comprises an issuer providing an issuer public key PKr; a user 
device having a security module for generatmg a first set of attestation-signature values 
DAAl; a privacy certification authority computer for providing an authority public key PKpca 
and issuing second attestation values AV2; and a verification computer for checking the 
vaUdity of the first set of attestation-signature values DAAl with the issuer pubUc key PKi and 
the validly of a second set of attestation-signature values DAA2 with the authority public key 
PKpcA, the second set of attestation-signature values DAA2 being derivable by the user device 
20 from the second attestation values AV2, wherein it is verifiable that the two sets of 
attestation-signature values DAAl, DAA2 relate to the user device. 
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Fig. 2 



